docs: streamline readme

westonplatter · westonplatter · commit be3226dba32a · 2025-04-22T13:46:46.000-06:00
diff --git a/README.md b/README.md
@@ -1,18 +1,26 @@
 ![Banner][banner-image]](https://masterpoint.io/)
 
-# terraform-postgres-logical-dbs
+# terraform-postgres-dbs-roles
 
 [![Release][release-badge]][latest-release]
 
 💡 Learn more about Masterpoint [below](#who-we-are-𐦂𖨆𐀪𖠋).
 
 ## Purpose and Functionality
 
-This repository serves as a child module for managing Postgres Logical Databases.
+This repository serves as a child module for managing Postgres Logical Databases and Roles
 
 ## Usage
 
-```terraform
+### Prerequisites
+
+1. Postgres user with `LOGIN` privileges
+
+### Example
+
+Please see [examples/complete] for a working example.
+
+```hcl
 provider "postgresql" {
   scheme    = "postgres"
   host      = "localhost"
@@ -24,34 +32,102 @@ provider "postgresql" {
 }
 
 module "logical_dbs" {
-  source = "git::https://github.com/masterpointio/terraform-postgres-logical-dbs.git"
-  # Masterpoint recommends pinning every module to a specific version
-  # version     = "x.x.x"
+  source = "git::https://github.com/masterpointio/terraform-postgres-dbs-roles.git?ref=main"
 
   databases = [
     {
-      name = "app1_db"
-      connection_limit = 10
-    },
-    {
-      name = "app2_db"
-      connection_limit = 20
+      name = "app"
+      connection_limit = -1
     }
   ]
-}
-```
 
-### Prerequisites
+  roles = [
+  {
+    role = {
+      name      = "system_user"
+      login     = true
+      superuser = false
+      password  = "insecure-pass-for-demo-app"
+    }
+
+    table_grants = {
+      role        = "system_user"
+      database    = "app"
+      schema      = "public"
+      object_type = "table"
+      objects     = [] # empty list to grant all tables
+      privileges  = ["ALL"]
+    }
+
+    schema_grants = {
+      role        = "system_user"
+      database    = "app"
+      schema      = "public"
+      object_type = "schema"
+      privileges  = ["USAGE", "CREATE"]
+    }
 
-To use this terraform module, you'll need to have a postgres user capable of,
+    sequence_grants = {
+      role        = "system_user"
+      database    = "app"
+      schema      = "public"
+      object_type = "sequence"
+      objects     = [] # empty list to grant all sequences
+      privileges  = ["ALL"]
+    }
+  },
+  {
+    role = {
+      name      = "readonly_user"
+      login     = true
+      password  = "insecure-pass-for-demo-readonly"
+      superuser = false
+    }
 
-- logging into the Postgres server
-- creating Postgres databases.
-There are example Postgres CLI commands for creating a user with these privileges in `examples/complete/fixtures.tfvars`.
+    table_grants = {
+      role        = "readonly_user"
+      database    = "app"
+      schema      = "public"
+      object_type = "table"
+      objects     = [] # empty list to grant all tables
+      privileges  = ["SELECT"]
+    }
 
-### Step-by-Step Instructions
+    sequence_grants = {
+      role        = "readonly_user"
+      database    = "app"
+      schema      = "public"
+      object_type = "sequence"
+      objects     = [] # empty list to grant all sequences
+      privileges  = ["USAGE", "SELECT"]
+    }
+
+    default_privileges = [
+      {
+        role        = "readonly_user"
+        database    = "app"
+        schema      = "public"
+        owner       = "system_user"
+        object_type = "table"
+        objects     = [] # empty list to grant all tables
+        privileges  = ["SELECT"]
+      },
+      {
+        role        = "readonly_user"
+        database    = "app"
+        schema      = "public"
+        owner       = "system_user"
+        object_type = "sequence"
+        objects     = [] # empty list to grant all sequences
+        privileges  = ["USAGE", "SELECT"]
+      },
+    ]
+  }
+]
+
+}
+```
 
-TODO - do we need this section? If so, what's missing that I should fill in?
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
 ## Requirements
diff --git a/examples/complete/fixtures.tfvars b/examples/complete/fixtures.tfvars
@@ -13,40 +13,40 @@ db_sslmode   = "disable"
 
 databases = [
   {
-    name             = "app1_db"
+    name             = "app"
     connection_limit = 10
   }
 ]
 
 roles = [
   {
     role = {
-      name      = "app1_app_user"
+      name      = "system_user"
       login     = true
       superuser = false
       password  = "insecure-pass-for-demo-app"
     }
 
     table_grants = {
-      role        = "app1_app_user"
-      database    = "app1_db"
+      role        = "system_user"
+      database    = "app"
       schema      = "public"
       object_type = "table"
       objects     = [] # empty list to grant all tables
       privileges  = ["ALL"]
     }
 
     schema_grants = {
-      role        = "app1_app_user"
-      database    = "app1_db"
+      role        = "system_user"
+      database    = "app"
       schema      = "public"
       object_type = "schema"
       privileges  = ["USAGE", "CREATE"]
     }
 
     sequence_grants = {
-      role        = "app1_app_user"
-      database    = "app1_db"
+      role        = "system_user"
+      database    = "app"
       schema      = "public"
       object_type = "sequence"
       objects     = [] # empty list to grant all sequences
@@ -55,24 +55,24 @@ roles = [
   },
   {
     role = {
-      name      = "app1_readonly_user"
+      name      = "readonly_user"
       login     = true
       password  = "insecure-pass-for-demo-readonly"
       superuser = false
     }
 
     table_grants = {
-      role        = "app1_readonly_user"
-      database    = "app1_db"
+      role        = "readonly_user"
+      database    = "app"
       schema      = "public"
       object_type = "table"
       objects     = [] # empty list to grant all tables
       privileges  = ["SELECT"]
     }
 
     sequence_grants = {
-      role        = "app1_readonly_user"
-      database    = "app1_db"
+      role        = "readonly_user"
+      database    = "app"
       schema      = "public"
       object_type = "sequence"
       objects     = [] # empty list to grant all sequences
@@ -81,19 +81,19 @@ roles = [
 
     default_privileges = [
       {
-        role        = "app1_readonly_user"
-        database    = "app1_db"
+        role        = "readonly_user"
+        database    = "app"
         schema      = "public"
-        owner       = "app1_app_user"
+        owner       = "system_user"
         object_type = "table"
         objects     = [] # empty list to grant all tables
         privileges  = ["SELECT"]
       },
       {
-        role        = "app1_readonly_user"
-        database    = "app1_db"
+        role        = "readonly_user"
+        database    = "app"
         schema      = "public"
-        owner       = "app1_app_user"
+        owner       = "system_user"
         object_type = "sequence"
         objects     = [] # empty list to grant all sequences
         privileges  = ["USAGE", "SELECT"]
diff --git a/examples/complete/validation_script.py b/examples/complete/validation_script.py
@@ -0,0 +1,129 @@
+import sqlalchemy as sa
+
+
+# authenticate to postgres using the system_user
+engine = sa.create_engine(
+    "postgresql://system_user:insecure-pass-for-demo-app@localhost:5432/app"
+)
+
+engine_ro = sa.create_engine(
+    "postgresql://readonly_user:insecure-pass-for-demo-readonly@localhost:5432/app"
+)
+
+
+
+sql = "SELECT 1"
+
+with engine.connect() as conn:
+    result = conn.execute(sa.text(sql))
+    assert result.fetchall() == [(1,)]
+
+# create tables
+create_tables_sqls = []
+
+create_tables_sql_users = """
+CREATE TABLE IF NOT EXISTS users (
+  id SERIAL PRIMARY KEY,
+  username VARCHAR(50) NOT NULL UNIQUE,
+  email VARCHAR(100) NOT NULL UNIQUE,
+  created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
+)
+"""
+create_tables_sqls.append(create_tables_sql_users)
+
+create_tables_sql_categories = """
+CREATE TABLE IF NOT EXISTS categories (
+  id SERIAL PRIMARY KEY,
+  name VARCHAR(50) NOT NULL UNIQUE,
+  created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
+)
+"""
+create_tables_sqls.append(create_tables_sql_categories)
+
+create_tables_sql_todos = """
+CREATE TABLE IF NOT EXISTS todos (
+  id SERIAL PRIMARY KEY,
+  user_id INTEGER REFERENCES users(id) ON DELETE CASCADE,
+  category_id INTEGER REFERENCES categories(id),
+  title VARCHAR(100) NOT NULL,
+  description TEXT,
+  due_date DATE,
+  completed BOOLEAN DEFAULT FALSE,
+  created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
+);
+"""
+create_tables_sqls.append(create_tables_sql_todos)
+
+print("Creating tables")
+with engine.connect() as conn:
+    for sql in create_tables_sqls:
+        conn.execute(sa.text(sql))
+        conn.commit()
+print("Tables created")
+
+
+# list all tables in the app database
+sql = "SELECT table_name FROM information_schema.tables WHERE table_schema = 'public'"
+
+print("Validating tables")
+with engine.connect() as conn:
+    result = conn.execute(sa.text(sql))
+    tables = result.fetchall()
+    print(f"Tables from the database: {tables}")
+    assert tables == [('users',), ('categories',), ('todos',)], "Tables are not created"
+print("Tables validated")
+
+# Insert test data
+insert_users_sqls = [
+    """
+    INSERT INTO users (id, username, email) VALUES
+    (1, 'alice', 'alice@example.com'),
+    (2, 'bob', 'bob@example.com'),
+    (3, 'charlie', 'charlie@example.com');
+    """,
+
+    """
+    INSERT INTO categories (id, name) VALUES
+    (1, 'Work'),
+    (2, 'Personal'),
+    (3, 'Errands');
+    """, 
+
+    """
+    INSERT INTO todos (user_id, category_id, title, description, due_date, completed) VALUES
+    (1, 1, 'Finish project', 'Complete the infrastructure project.', '2025-04-30', FALSE),
+    (2, 2, 'Buy groceries', 'Milk, Bread, Eggs', '2025-04-23', FALSE),
+    (3, 3, 'Doctor appointment', 'Annual check-up at 3 PM.', '2025-04-25', FALSE),
+    (1, 2, 'Call mom', 'Check in with family.', '2025-04-24', FALSE),
+    (2, 1, 'Write blog post', 'Post about PostgreSQL role management.', '2025-04-27', TRUE);
+    """
+]
+
+print("Inserting test data")
+with engine.connect() as conn:
+    # drop existing data
+    conn.execute(sa.text("TRUNCATE TABLE todos CASCADE"))
+    conn.commit()
+
+    conn.execute(sa.text("TRUNCATE TABLE categories CASCADE"))
+    conn.commit()
+
+    conn.execute(sa.text("TRUNCATE TABLE users CASCADE"))
+    conn.commit()
+    
+
+    for sql in insert_users_sqls:
+        conn.execute(sa.text(sql))
+        conn.commit()
+print("Test data inserted")
+
+# Query Users
+sql = "SELECT username, email FROM users"
+
+print("Validating users")
+with engine.connect() as conn:
+    result = conn.execute(sa.text(sql))
+    users = result.fetchall()
+    print(f"Users from the database: {users}")
+    assert users == [('alice', 'alice@example.com'), ('bob', 'bob@example.com'), ('charlie', 'charlie@example.com')]
+print("Users validated")
diff --git a/main.tf b/main.tf
